how to covert mysql 'user' password field

Fritz

I have figured out how to have users create accounts (via a mysql user table... for authentication), with passwords and they are inserted into the mysql databases as encrypted passwords... via

INSERT INTO table (upass) VALUES (password('$upass'))";

BUT in my script to send the user their password... The upass field sends them ONLY the encrypted password...

$upass = $row['upass'];

how do I convert/display the encrypted password so it looks like what the user submitted.

hand

You can't. The encryption is not reversible.
You can alter the password to a random value and send the new altered pwd to your client.

UPDATE table set upass=password('$newpass') WHERE user='$gangster'

PyroX

A, send the user their password via email before you encrypt it, a " welcome to my site " message

B, I don't know for sure if you know this, but compare the encrypted password to the password in the table to validate users

C, if this is for a site that has not real high security data, just use base64_encode and base64_decode for your passwords. ( By sending them over email, your creting a security risk anyway)

D, after you have sent them their password, require a password change the next time they logon.

Fritz

Originally posted by PyroX
A, send the user their password via email before you encrypt it, a " welcome to my site " message

B, I don't know for sure if you know this, but compare the encrypted password to the password in the table to validate users

C, if this is for a site that has not real high security data, just use base64_encode and base64_decode for your passwords. ( By sending them over email, your creting a security risk anyway)

D, after you have sent them their password, require a password change the next time they logon.

wowo thanks PyroX - I need all the 'clues' I can get!

a, I do this when they sign up... my question has more to do with the reality that they will loose this and need to have their password resent to them.

b, are you saying that when I authenticate users that have a password of say 'nyc' and I compare it against say '1c1d49e11dc84179' (what it looks like in my sql table) - there will be a match?

c, base64_encode/decode ??? are these PHP variables? or some format for the field in mysql? Also... Is it really dangerous to simply have my PW field in MYsql just should the non encrypted pwds? This is not for a high security commerce site, but more of a community contact type of site (with a current listing of about 40,000 users and very busy)

d, Not really sure what you mean here. why would I want them to be prompted to change when they log in again?

PyroX

You should still md5 the password in the table.

base64_encode and _decode are functions in almost every web language.

When checking the passwords, do it like this:

page submitted $username and $pass from a form

$pass=md5($pass);
$rs=mysql_query("SELECT * FROM users WHERE pass='$pass' and user='$username'",$db);

if(mysql_num_rows($rs)>1){
echo "Success..";
} else {
echo "Failed..";
}

that help?

Fritz

Originally posted by PyroX
You should still md5 the password in the table.

base64_encode and _decode are functions in almost every web language.

When checking the passwords, do it like this:

page submitted $username and $pass from a form

$pass=md5($pass);
$rs=mysql_query("SELECT * FROM users WHERE pass='$pass' and user='$username'",$db);

if(mysql_num_rows($rs)>1){
echo "Success..";
} else {
echo "Failed..";
}

that help?

INSERT_INTO_table_(upass)_VALUES_(password('$upass'))";

is this what you mean????

I've been fighting with this for hours... and although I really LIKE have the password in the db like this... I just can figure out how to tell the user what there password is via an email request.

PyroX

THat's just it, YOU CANNOT.

You have to reasign them a new password if they forget theirs.

Fritz

Originally posted by PyroX
THat's just it, YOU CANNOT. You have to reasign them a new password if they forget theirs.

thanks for your patience PyroX

Yes... I do realize this from the earlier response... I just frustrated from going round in circles...

So I guess... my best shot is

TO encrypt the password in the datatable. (the user friendly version IS sent to them when they create the account)
WHEN the user forgets their password and request it via their email address.... I find a way to 'generate' some sort of new user friendly password , change the existing one... and send them the new 'user friendly one'.

So.... My best bet is to hunt for a function that will generate a random user friendly password that THEY can receive via email... with a prompt for THEM to change it next time they log in?

Does that may sense?

OR should I consider... hunting for an entire authentication pkg?

techrat

The only way I've found for it to work the way you want, is to store the unencrypted password in a BLOB type field. That way the field is not easily ready by someone attempting to hack the database, but your program can read the PASSWORD field into a readable variable and use it to send the password back to the user.

Not very secure but it gives you the option to either send the user thier password or just reset it. Im working on a similar project at the moment.

Techrat.

Duey

you can decrpyt/encrypt if you have the mcrypt module installed to see if you have make a phpinfo() file and scroll down and look if mcrypt if its there its installed otherwise its not

if it is installed go here for a list of encryption types and how to use it
http://www.php.net/manual/en/ref.mcrypt.php

if its not installed you can download the files from here:
http://mcrypt.hellug.gr/

Weedpacket

Originally posted by Fritz
2. WHEN the user forgets their password and request it via their email address.... I find a way to 'generate' some sort of new user friendly password , change the existing one... and send them the new 'user friendly one'.

So.... My best bet is to hunt for a function that will generate a random user friendly password that THEY can receive via email... with a prompt for THEM to change it next time they log in?

This is something I often do; I sometimes add an extra field in the database which says whether or not the password currently stored is a generated "friendly" one to replace one that was lost, or a proper one the user chose. Then when they log in with the friendly password, I can require them to change it to something of their own, so that they don't just go along with the "friendly" one (which has just been splashed across their mail records).

OR should I consider... hunting for an entire authentication pkg?

I think there's one in the code library on this site (or is it on PHPClasses?)